[cas-user] Re: CAS 5.2.2 with MFA using Google Authenticator / GAuth

Mon, 19 Feb 2018 10:35:03 -0800 

I'm still getting this error when I use in memory storage. MongoDB is 
disabled.

Qrcode is generated, google app scans it, token field appears and any token 
that I type provides error.

2018-02-15 09:31:13,970 DEBUG 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
<[GoogleAuthenticatorAuthenticationHandler] exception details: [Failed to 
authenticate code *253227*].>
2018-02-15 09:31:13,971 DEBUG 
[org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 
- <Credential is not one of username/password and is not accepted by 
handler [LdapAuthenticationHandler]>
2018-02-15 09:31:13,972 ERROR 
[org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
<*Authentication 
has failed. Credentials may be incorrect or CAS cannot find authentication 
handler that supports [[token=253227]] of type 
[GoogleAuthenticatorTokenCredential]*.>


Can anybody help me ?


W dniu czwartek, 15 lutego 2018 09:53:52 UTC+1 użytkownik Janina Byky 
napisał:
>
> Hello,
>
> I'm trying to setup CAS 5.2.2 with Google Authenticator as second auth 
> factor for specified services. CAS is running over LDAP (AD) and GAuth 
> based on mongo. So far everything was great, build succeed, GAuth qrcode 
> appears, user registers and now it's time for TOKEN form. I'm typing all 
> scratch codes and those generated by Google Authenticator, but every single 
> attempt is unsuccessful. Also there's no collection created to store tokens 
> in mongo. Only GAuthRepository is created with proper values of registered 
> users.
>
> *cas.properties*
>
> cas.authn.accept.users=
>
> cas.authn.ldap[0].order=0
> cas.authn.ldap[0].type=AUTHENTICATED
> cas.authn.ldap[0].ldapUrl={CUT}
> cas.authn.ldap[0].connectionStrategy=DEFAULT
> cas.authn.ldap[0].useSsl=true
> cas.authn.ldap[0].connectTimeout=15000
> cas.authn.ldap[0].subtreeSearch=true
> cas.authn.ldap[0].baseDn={CUT}
>
> cas.authn.ldap[0].userFilter=(|(sAMAccountName={user})(userPrincipalName={user}))
> cas.authn.ldap[0].bindDn={CUT}
> cas.authn.ldap[0].bindCredential={CUT}
> cas.authn.ldap[0].enhanceWithEntryResolver=true
> cas.authn.ldap[0].principalAttributeId=sAMAccountName
> cas.authn.ldap[0].principalAttributePassword=
> cas.authn.ldap[0].usePasswordPolicy=true
>
> cas.authn.ldap[0].principalAttributeList=sn,cn:commonName,givenName,sAMAccountName,memberOf
> cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=true
> cas.authn.ldap[0].poolPassivator=NONE
> cas.authn.ldap[0].minPoolSize=2
> cas.authn.ldap[0].maxPoolSize=15
>
>
> cas.authn.mfa.globalProviderId=mfa-gauth
> cas.authn.mfa.globalFailureMode=CLOSED
>
> cas.authn.mfa.gauth.issuer=TEST
> cas.authn.mfa.gauth.codeDigits=6
> cas.authn.mfa.gauth.timeStepSize=60
> cas.authn.mfa.gauth.windowSize=3
> cas.authn.mfa.gauth.label=TEST
> cas.authn.mfa.gauth.rank=0
>
> cas.authn.mfa.gauth.cleaner.enabled=true
> cas.authn.mfa.gauth.cleaner.schedule.startDelay=20000
> cas.authn.mfa.gauth.cleaner.schedule.repeatInterval=60000
>
> cas.authn.mfa.gauth.bypass.type=DEFAULT
>
> cas.authn.mfa.gauth.mongo.clientUri=${mongo.uri}
> cas.authn.mfa.gauth.mongo.dropCollection=false
> cas.authn.mfa.gauth.mongo.collection=GAuthRepository
>
> cas.authn.mfa.gauth.mongo.tokenCollection=GoogleAuthenticatorMongoDbTokenRepository
>
>
>
> *pom.xml*
>
>         <dependency>
>             <groupId>org.apereo.cas</groupId>
>             <artifactId>cas-server-webapp${app.server}</artifactId>
>             <version>${cas.version}</version>
>             <type>war</type>
>             <scope>runtime</scope>
>         </dependency>
>         <dependency>
>             <groupId>org.apereo.cas</groupId>
>             <artifactId>cas-server-support-ldap</artifactId>
>             <version>${cas.version}</version>
>         </dependency>
>         <dependency>
>             <groupId>org.apereo.cas</groupId>
>             <artifactId>cas-server-support-saml</artifactId>
>             <version>${cas.version}</version>
>         </dependency>
>         <dependency>
>             <groupId>org.apereo.cas</groupId>
>             <artifactId>cas-server-support-gauth</artifactId>
>             <version>${cas.version}</version>
>         </dependency>
>         <dependency>
>             <groupId>org.apereo.cas</groupId>
>             <artifactId>cas-server-support-gauth-mongo</artifactId>
>             <version>${cas.version}</version>
>         </dependency>
>
>
> *catalina.log*
>
> 2018-02-15 09:31:13,952 DEBUG 
> [org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver]
>  
> - <Authentication handlers used for this transaction are 
> [GoogleAuthenticatorAuthenticationHandler,LdapAuthenticationHandler,HttpBasedServiceCredentialsAuthenticationHandler]>
> 2018-02-15 09:31:13,953 DEBUG 
> [org.apereo.cas.adaptors.gauth.GoogleAuthenticatorAuthenticationHandler] - 
> <Received OTP [*253227*]>
> 2018-02-15 09:31:13,954 DEBUG 
> [org.apereo.cas.adaptors.gauth.GoogleAuthenticatorAuthenticationHandler] - 
> <Received principal id *[j.byky*]>
> 2018-02-15 09:31:13,970 DEBUG 
> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
> <[GoogleAuthenticatorAuthenticationHandler] exception details: [Failed to 
> authenticate code *253227*].>
> 2018-02-15 09:31:13,971 DEBUG 
> [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
>  
> - <Credential is not one of username/password and is not accepted by 
> handler [LdapAuthenticationHandler]>
> 2018-02-15 09:31:13,972 ERROR 
> [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - 
> <*Authentication 
> has failed. Credentials may be incorrect or CAS cannot find authentication 
> handler that supports [[token=253227]] of type 
> [GoogleAuthenticatorTokenCredential]*.>
> 2018-02-15 09:31:13,976 INFO 
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
> trail record BEGIN
> =============================================================
> *WHO: 253227*
> *WHAT: Supplied credentials: [[token=253227]]*
> ACTION: AUTHENTICATION_SUCCESS
> APPLICATION: CAS
> WHEN: Thu Feb 15 09:31:13 CET 2018
> CLIENT IP ADDRESS: 10.100.100.20
> SERVER IP ADDRESS: 10.40.0.2
> =============================================================
>
> >
> 2018-02-15 09:31:13,978 ERROR 
> [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - 
> <1 errors, 0 successes>
> org.apereo.cas.authentication.AuthenticationException: 1 errors, 0 
> successes
> at 
> org.apereo.cas.authentication.PolicyBasedAuthenticationManager.evaluateFinalAuthentication(PolicyBasedAuthenticationManager.java:400)
>  
> ~[cas-server-core-authentication-5.2.2.jar:5.2.2]
> at 
> org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticateInternal(PolicyBasedAuthenticationManager.java:380)
>  
> ~[cas-server-core-authentication-5.2.2.jar:5.2.2]
> at 
> org.apereo.cas.authentication.PolicyBasedAuthenticationManager.authenticate(PolicyBasedAuthenticationManager.java:220)
>  
> ~[cas-server-core-authentication-5.2.2.jar:5.2.2]
> at 
> org.apereo.cas.authentication.PolicyBasedAuthenticationManager$$FastClassBySpringCGLIB$$90e801d3.invoke(<generated>)
>  
> ~[cas-server-core-authentication-5.2.2.jar:5.2.2]
> at 
> org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) 
> ~[spring-core-4.3.12.RELEASE.jar:4.3.12.RELEASE]
> at 
> org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:738)
>  
> ~[spring-aop-4.3.12.RELEASE.jar:4.3.12.RELEASE]
> at 
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
>  
> ~[spring-aop-4.3.12.RELEASE.jar:4.3.12.RELEASE]
> at 
> org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:85)
>  
> ~[spring-aop-4.3.12.RELEASE.jar:4.3.12.RELEASE]
> at 
> org.apereo.inspektr.audit.AuditTrailManagementAspect.handleAuditTrail(AuditTrailManagementAspect.java:134)
>  
> ~[inspektr-audit-1.8.0.GA.jar:1.8.0.GA]
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
> ~[?:1.8.0_162]
> at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) 
> ~[?:1.8.0_162]
> at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>  
> ~[?:1.8.0_162]
> at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_162]
> ...
>
> 2018-02-15 09:31:13,982 INFO 
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
> trail record BEGIN
> =============================================================
> WHO: *253227*
> WHAT: [event=error,timestamp=Thu Feb 15 09:31:13 CET 
> 2018,source=OneTimeTokenAuthenticationWebflowEventResolver]
> ACTION: AUTHENTICATION_EVENT_TRIGGERED
> APPLICATION: CAS
> WHEN: Thu Feb 15 09:31:13 CET 2018
> CLIENT IP ADDRESS: 10.100.100.20
> SERVER IP ADDRESS: 10.40.0.2
> =============================================================
>
>
>
> Can anybody tell me what I'm missing?
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b5f6b0d6-1a89-4ada-a8d1-b2440c822bbf%40apereo.org.

Reply via email to